Applying Security Lessons from Private Industry to the Government Sector

The Defense Department continues to struggle to keep secret data from being leaked by employees or contractors or posted online by anonymous hackers. A recent report by the DoD Office of Inspector General lists Increasing Cyber Security and Cyber Capabilities as a top-10 challenge for 2018. What security lessons can the DoD and other Government agencies take from private industry to help address this challenge?

The first lesson is to make cost-benefit choices about which systems to defend and how to defend them, based on the likelihood of an asset being attacked, the value of the asset, the cost of defending it, and the cost of losing it.

Identifying critical data is an essential step for all agencies. Private-sector breaches have illustrated the breadth of data that is available to, and targeted by, hackers. The Department of Defense might be top-of-mind in terms of assets to protect, but all agencies have ‘crown jewels’ that require protection. For example, the 2014 breach at the US Office of Personnel Management (OPM) impacted personnel records and security-clearance files of at least 22 million people. Data such as mental health history, criminal records, financial data, and fingerprints were included in these files. Officials have said that this level of detail makes it likely that foreign governments will try to use the data to identify US operatives, particularly those in intelligence roles.

Dr. Martin Casado, Senior VP at VMware, stressed that a sole focus on perimeter-centric defense is no longer effective, stating:

“Perimeter-centric cyber security policies, mandates, and techniques are necessary, but insufficient and ineffective in protecting U.S. government cyber assets alone.”

Ken Schneider, VP at Symantec, reiterated the need for a cyber-aware workforce, enabled by initial and refresher training and simulated security drills. In addition, he recommended use of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework – itself the result of a successful collaborative public-private effort – as a tool that can be equally useful to Federal agencies building out a cyber security program or assessing an existing one.

Larry Clinton, CEO of the Internet Security Alliance, strongly advocated for an increase in Government spending. The statistics he cited regarding the difference between private sector and government spending are dramatic: Private-sector spending on cyber security has nearly doubled in the last several years to $120 billion annually, while federal non-defense spending on cyber security this year will be between $6 and $7 billion. Private-sector spending on cyber security will increase 24 percent next year. Federal government spending is increasing about 11 percent.

He noted that the spending gap affects the Government’s ability to compete with the private sector for scarce cyber security professionals, and described a “tendency to focus more on buying technical solutions than on people to operate that technology.”

Finally, those in both the private sector and Government are increasingly stressing the need for ongoing information sharing. Check out our previous blog post, where we highlighted the importance of harnessing the wisdom of the crowd and collaborating.

Marianna Noll is a Maryland-based writer with an interest in the impact that technology has on organizations and users. She writes about software, user adoption and engagement with software, and IT security.